Protecting Directories

The method described here for password-protecting web files is useful mainly for protecting entire directories, and it works for non-php files such as static html pages, images, and pdf files, which the other methods do not cover. It has three disadvantages: it does not use single sign-on, it does not enforce a secure connection when asking for the viewer's password, and the password file it uses is not updated immediately when a user changes their password.

This form of authentication is no longer allowed on home.sandiego.edu; special permission is required to use it on www.sandiego.edu.

By default, .htaccess files are disabled on the main web server. If you need to use .htaccess authentication, you'll need to contact the webmaster and describe what .htaccess authentication provides that isn't available in the Single Sign-on and File Downloads plugins.

Password-protecting directories

You can use a '.htaccess' file to require a username and password for access to a directory. You can set it up so that USD users have to type their standard USD e-mail username and password to get access to your page or pages. If you put a '.htaccess' file into one of your web directories, the file will control web access to all pages within that directory and within its subdirectories.

Groups and users

You can combine both methods, and allow specific groups in as well as specific usernames. The following .htaccess file will let any faculty and students view the page, as well as the users ‘jerry’ and ‘artagnan’:

Your Own Groups

You can also make up your own groups and still let your readers use their USD passwords. You might want to do this if you are creating an area on your web site that is only for your class, for example. You can create a group that consists only of your students’ usernames.

You need to create a group file to do this. You can name it whatever you want. In your group file, list each member by USD username (the part of the address before @sandiego.edu). For example, if you want to include fred@sandiego.edu, barney@sandiego.edu, and smithers@sandiego.edu in a group called 'BBC', the following line in your groups file will do it:

BBC: fred barney smithers

This way, you can make up your own groups without having to worry about creating and changing passwords. If you call your groups file “MyGroups” and put it in a directory in your account called “passinfo”, the ‘.htaccess’ file will look like:

You can put the groups file anywhere in your Unix account. I recommend not putting it inside your web directory.

Your Own Passwords

You can also create your own passwords. You'll want to do this if your readers do not have standard USD usernames and passwords. This gets a little complicated. First, you need to create a password file. You do this with the 'htpasswd' command. The '-c' option creates the file, and it will overwrite a file of that name if one already exists, so use it only the first time; for every additional user, run the same command without '-c'. The first time you do this, type:

htpasswd -c PasswordFilename FirstUser

For example, the following commands create a directory for your password info, and then a password for user ‘Tarzan’:

Suppose you've got a directory called 'passinfo' in your home directory, and in it you've created a password file called "passwords" with entries for 'Jane' and 'Tarzan'. You want to allow only Tarzan to get access to the files in some directory. Put the following in a file called '.htaccess' in that directory, replacing 'yourhome' with the path to your home directory. (Type 'pwd' to find that out.) You can use 'pico' to create this file. Type pico .htaccess while you are 'inside' the folder you want to protect.

Now, when anyone tries to access pages in that directory, they’ll be asked for a username and password, and they’ll be told that it’s for “Jungle Financial Records”. They’ll only be allowed in if they enter “Tarzan” for the username, and Tarzan’s password for the password.

You’ll notice that this ‘.htaccess’ file does not have an “AuthGroupFile” command. This means that only the user specified has web access to those pages. Most of the time, however, you’re going to want to let a group of people in. To do that, you need to create a ‘Group’ file, just as you did to make your own USD group(s). In the above example, I’d create a file called ‘groups’ in my ‘passinfo’ directory, and put the following line into it:

Jungle: Tarzan Jane Cheetah
Tribes: Ngari Fred

This creates the 'group' called 'Jungle', with the members 'Tarzan', 'Jane', and 'Cheetah'. It also creates a group called 'Tribes' with the members 'Ngari' and 'Fred'. Each of those users must also appear in the specified password file; a name that is listed only in the groups file has no password and cannot log in. I'll change my .htaccess file to the following:

Remember to change ‘yourhome’ to the path to your home directory! Now, any of Tarzan, Jane, and Cheetah can get in. But Ngari and Fred cannot.

Passwords and usernames are case sensitive.
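The walkthrough above, from the first 'htpasswd -c' through the 'groups' file and the two '.htaccess' variants, as an added example that is not part of the original page (it also covers the "Groups and users" idea from earlier, a group line and a user line in the same file). It is a Python script rather than the shell commands the page uses: it writes the password file in the '{SHA}' format that 'htpasswd -s' produces, writes the page's 'groups' file, parses the .htaccess directives, and models how Apache decides who gets in. The passwords, the temporary directory, and the third "combined" .htaccess variant are constructed for this example; the user and group names come from the page. The campus-wide USD password and group files are not modelled because the page does not say where they live.

```python
# Added example (not from the original page). Reproduces the 'Your Own
# Passwords' walkthrough offline: password file in the '{SHA}' format that
# `htpasswd -s` writes, the page's 'groups' file, and a model of how Apache
# evaluates the `require user` / `require group` lines of the .htaccess.
# Passwords, the temp directory and the "combined" variant are constructed.
import base64
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha_entry(password: str) -> str:
    """Digest in the form `htpasswd -s` writes: '{SHA}' + base64(SHA-1(password)).

    Unsalted SHA-1 is used here only because it is deterministic and needs no
    extra libraries; on a real site use `htpasswd -B` (bcrypt), because a
    world-readable file of unsalted hashes is cheap to crack offline.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def write_htpasswd(path: Path, users: dict) -> None:
    """Same result as `htpasswd -c -s` for the first user, then `htpasswd -s` per user."""
    path.write_text("".join(f"{name}:{sha_entry(pw)}\n" for name, pw in users.items()))


def load_htpasswd(path: Path) -> dict:
    """Parse 'user:hash' lines; blank lines and '#' comments are ignored."""
    creds = {}
    for line in path.read_text().splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, hashed = line.partition(":")
            creds[name] = hashed
    return creds


def load_groups(path: Path) -> dict:
    """Parse 'Group: member member ...' lines into {group: set(members)}."""
    groups = {}
    for line in path.read_text().splitlines():
        if ":" in line:
            name, _, members = line.partition(":")
            groups[name.strip()] = set(members.split())
    return groups


def parse_htaccess(text: str) -> dict:
    """Minimal parser for the directives this page uses: AuthType, AuthName,
    AuthUserFile, AuthGroupFile and one or more require lines."""
    conf = {"require": []}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "require":
            conf["require"].append(value.split())
        else:
            conf[key] = value.strip('"')
    return conf


def password_ok(stored: str, password: str) -> bool:
    """Check one stored entry; only the {SHA} format is handled in this example."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(stored, sha_entry(password))
    return False


def authorize(conf: dict, username: str, password: str) -> bool:
    """True if this username/password would be admitted under the parsed .htaccess.

    Authentication first (names and passwords are case-sensitive), then any
    one of the require lines must match: Apache ORs them together."""
    creds = load_htpasswd(Path(conf["authuserfile"]))
    if username not in creds or not password_ok(creds[username], password):
        return False
    groups = load_groups(Path(conf["authgroupfile"])) if "authgroupfile" in conf else {}
    for kind, *names in conf["require"]:
        if kind == "valid-user":
            return True
        if kind == "user" and username in names:
            return True
        if kind == "group" and any(username in groups.get(g, ()) for g in names):
            return True
    return False


def demo() -> dict:
    """Build passinfo/ in a temp directory and evaluate the page's scenarios."""
    passinfo = Path(tempfile.mkdtemp(prefix="passinfo-"))
    # Constructed passwords; the names are the ones the page uses.
    write_htpasswd(passinfo / "passwords", {
        "Tarzan": "swing-High!9", "Jane": "vine&Leaf22", "Cheetah": "b4nana!!",
        "Ngari": "river.Stone7", "Fred": "yabba-Dabba1",
    })
    (passinfo / "groups").write_text("Jungle: Tarzan Jane Cheetah\nTribes: Ngari Fred\n")
    base = f'AuthType Basic\nAuthName "Jungle Financial Records"\nAuthUserFile {passinfo}/passwords\n'
    user_only = parse_htaccess(base + "require user Tarzan\n")
    group = parse_htaccess(base + f"AuthGroupFile {passinfo}/groups\nrequire group Jungle\n")
    combined = parse_htaccess(base + f"AuthGroupFile {passinfo}/groups\n"
                              "require group Jungle\nrequire user Fred\n")
    return {
        "tarzan_user_only": authorize(user_only, "Tarzan", "swing-High!9"),  # True
        "jane_user_only": authorize(user_only, "Jane", "vine&Leaf22"),       # False
        "jane_group": authorize(group, "Jane", "vine&Leaf22"),               # True
        "ngari_group": authorize(group, "Ngari", "river.Stone7"),            # False
        "fred_combined": authorize(combined, "Fred", "yabba-Dabba1"),        # True
        "lowercase_name": authorize(group, "tarzan", "swing-High!9"),        # False
        "wrong_password": authorize(group, "Tarzan", "swing-high!9"),        # False
    }


if __name__ == "__main__":
    for scenario, admitted in demo().items():
        print(f"{scenario}: {'allowed' if admitted else 'denied'}")
```

Run it with 'python3' and it prints one allowed/denied line per scenario. The '{SHA}' format is what the real 'htpasswd -s' writes (the entry for the password "password" is '{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g='), so the file the script produces would be accepted by Apache, but on a shared server where the file must be world-readable you want the salted, slow bcrypt hashes from 'htpasswd -B' instead.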

Security

Because your password file must be readable by the web server, if you place it inside your public_html directory it will be visible to anyone on the net: a file named 'passwords' under public_html is just another file the server will send on request. You will probably want to create a special folder outside of your public_html directory, and store your password and group files there. The files must be readable by everyone, and that directory (and every directory above it, up to your home directory) must be searchable by everyone, which is the 'x' permission on a directory:

chmod ugo+r filename
chmod ugo+x directoryname

Also, as this is a shared server, anyone who has an account on the server can still read your password file. The file holds hashed passwords rather than the passwords themselves, but a weak password can be recovered from its hash by guessing. So you want to make sure your passwords are not easily guessable by a computer. Passwords that are made up of dates, names, or words are easily guessable. Random combinations of letters, numbers, and punctuation are not.

Secure Web Serving

Data sent over the net can easily be stolen. This includes the passwords that people are typing in to access your password-protected web pages. The Basic authentication used here only base64-encodes the username and password, which anyone can reverse, and the browser resends them with every request to the protected directory, so over http they are effectively sent across the net in plain text.

All web pages on www.sandiego.edu can be served both securely and insecurely. Insecure serving is the default, since it is much faster. But if it is important that no one be able to steal those passwords, you can direct people to use the secure server. The URL for the secure server is exactly the same as the URL for the insecure server, but with 'https' at the front instead of 'http'. Since .htaccess authentication does not enforce a secure connection by itself, make sure every link you publish to the protected pages uses the https form.

The single sign-on system does not require https, because it ensures that the password is sent over a secure connection regardless of whether the page is viewed as http or https. Insecure connections are often much faster than secure connections.
